As a Google Apps administrator, how can I access others' email by API?


Jerry Wang

Jul 30, 2012, 3:18:38 AM
to google-app...@googlegroups.com
I am writing a script to access all employees' emails by using Google IMAP with OAuth: https://developers.google.com/google-apps/gmail/oauth_overview . This script should let me delete, move and export any user's emails. However, I cannot find any clue in the Google API on how to impersonate another user to access his email. (This impersonation is easy for Google Docs, but not available for Gmail.) Please help, any suggestion will be appreciated. Thanks in advance.

Vince

Aug 2, 2012, 5:05:46 PM
to google-app...@googlegroups.com
The library/sample code at the link you provided includes a class named "XoauthAuthenticator" with "getSession" and "connectToImap" methods on it.

That code works fine for 3-legged OAuth, but you need to use 2-legged OAuth access so you can impersonate users for a given domain.


For 2-legged OAuth, just pass 'null' for the oauthToken and oauthTokenSecret arguments of the getSession method. You can then pass this session in as the first argument of the connectToImap method like this:
  javax.mail.Store store = XoauthAuthenticator.connectToImap(XoauthAuthenticator.getSession(...), "imap.googlemail.com", 993, <<email address>>);

From there, you're just using a standard-issue javax.mail.Store object, and you can use the javamail docs for that.



There are a couple of code changes needed for the XoauthAuthenticator and XoauthSaslResponseBuilder classes.

For reference, I was able to put the below steps together using documentation here:
(especially note the "SASL Initial Client Request" section).


Assuming your application has already been granted 2LOA access to the "https://mail.google.com/" scope, the following changes should work for you:

1) Change the XoauthAuthenticator class constructor to not put the following 2 key/values into the props object. These are only used in 3-legged OAuth:
  - XoauthSaslClientFactory.OAUTH_TOKEN_PROP
  - XoauthSaslClientFactory.OAUTH_TOKEN_SECRET_PROP

2) Change the code in the XoauthSaslResponseBuilder.buildResponse method that deals with putting the OAuthToken into the response.
First, remove the line:
  parameters.put(OAuth.OAUTH_TOKEN, oauthToken);

Second, change the 'url' variable to append the "xoauth_requestor_id" parameter onto the URL so that the correct user's IMAP session is opened.
  try {
    url = String.format("%s?xoauth_requestor_id=%s", url, URLEncoder.encode(userEmail, "UTF-8"));
  }
  catch (UnsupportedEncodingException ex) {
    // not going to happen - UTF-8 is guaranteed by every jvm
  }

Good luck -
Vince.
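
The two changes described in the post above, shown as one self-contained sketch of the 2-legged XOAUTH initial client response. This is an added example, not part of the original post or of Google's sample library; the class name, the constructed key, secret, nonce and timestamp, and the `https://mail.google.com/mail/b/<user>/imap/` URL layout are assumptions not shown on this page.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TwoLeggedXoauthExample { // hypothetical class name
    // OAuth 1.0a needs RFC 3986 escaping; URLEncoder does form encoding, so adjust it.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    static String buildInitialResponse(String consumerKey, String consumerSecret,
            String userEmail, String nonce, long timestamp) throws Exception {
        String baseUrl = "https://mail.google.com/mail/b/" + userEmail + "/imap/"; // assumed layout
        TreeMap<String, String> oauth = new TreeMap<>();
        oauth.put("oauth_consumer_key", consumerKey);
        oauth.put("oauth_nonce", nonce);
        oauth.put("oauth_signature_method", "HMAC-SHA1");
        oauth.put("oauth_timestamp", Long.toString(timestamp));
        oauth.put("oauth_version", "1.0");
        // 2-legged: no oauth_token is added. The impersonated user is signed instead.
        TreeMap<String, String> signed = new TreeMap<>(oauth);
        signed.put("xoauth_requestor_id", userEmail);
        StringBuilder norm = new StringBuilder();
        for (String k : signed.keySet()) {
            norm.append(norm.length() == 0 ? "" : "&").append(enc(k)).append('=').append(enc(signed.get(k)));
        }
        String baseString = "GET&" + enc(baseUrl) + "&" + enc(norm.toString());
        // Signing key is consumerSecret&tokenSecret; the token secret is empty in 2-legged OAuth.
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec((enc(consumerSecret) + "&").getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] sig = mac.doFinal(baseString.getBytes(StandardCharsets.UTF_8));
        oauth.put("oauth_signature", Base64.getEncoder().encodeToString(sig));
        StringBuilder header = new StringBuilder();
        for (String k : oauth.keySet()) {
            header.append(header.length() == 0 ? "" : ",").append(k).append("=\"").append(enc(oauth.get(k))).append('"');
        }
        // xoauth_requestor_id travels in the URL query, not in the oauth_* parameter list.
        String plain = "GET " + baseUrl + "?xoauth_requestor_id=" + enc(userEmail) + " " + header;
        return Base64.getEncoder().encodeToString(plain.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real credentials.
        String b64 = buildInitialResponse("example.com", "constructed-secret", "user@example.com", "1234567890", 1343887546L);
        System.out.println(new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8));
    }
}
```

The decoded output makes the trust model visible: the domain's consumer secret alone signs a request for any mailbox named in xoauth_requestor_id, so that secret carries domain-wide mail access.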

Jerry Wang

Aug 2, 2012, 10:03:30 PM
to google-app...@googlegroups.com, vdie...@spanning.com
Vince, thank you very much for your detailed instructions. You are great!

--
Jerry Wang
Founder of Cloud Drive Software Team, Yantai, China 
Phone:   86-135-735-66498 (only available from 9:00 AM to 8:00 PM GMT HK time)
